Per Console Keys
Jump to navigation
Jump to search
per_console_root_key_0
- metldr is decrypted with this key
- bootldr is decrypted with this key
- might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)
See also Bootorder::Boot Sequence
per_console_root_key_1 / EID_root_key
- derived from per_console_key_0
- stored inside metldr
- copied to sector 0 by metldr
- cleared by isoldr
- Used to decrypt part of the EID
- Used to derive further keys (per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1)
- can be obtained with a modified isoldr that dumps it
- can be obtained with a derivation of this key going backwards
Obtaining It
Launch the patched isoldr with your prefered method, let it be Option 1, or Option 2...
Option 1 - Dumper Kernel Module
- modify glevands spp_verifier_direct to dump the mbox to wherever_you_want
http://pastebin.com/uTBbnC9B<-needs to be edited further
insmod ./spp_verifier_direct.ko cat metldr > /proc/spp_verifier_direct/metldr cat dump_eid_root_key.self > /proc/spp_verifier_direct/isoldr echo 1 > /proc/spp_verifier_direct/run cat /proc/spp_verifier_direct/debug hd /ls.bin | less
Option 2 - Dumper Payload
- patched isoldr to dump it
*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK PS3
- patched isoldr: http://www.wupload.com/file/1153650416/dump_eid_root_key.self
- this can be loaded as the payload stage2 in the payload marcan used to load linux
- this can also be loaded as with lv2patcher and payloader3
- payloader3.git
Comments
- What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
- This has been tested and proven to work on 3.55 MFW
- In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
- Overwritting that code lets you dump your key + metldr
- Consider that per_console_key_1 and per_console_key_n are in fact still in need decryption.
- per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.
per_console_root_key_2 / EID0_key
- this key can be obtained through AES from EID_root_key
- EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
- Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0
- This code is to decrypt your EID0 on your PC http://pastie.org/2000330
- The prerequisites are:
- dump your EID0 from your ps3 and save it in the same folder as EID0
- dump your EID0_key from your ps3 and put it on the code above where the key is needed
- load all of them in anergistic
- The prerequisites are:
- EID0_key could also be obtained with EID_root_key directly in the following manners:
- knowing the algorithm (located in isoldr) and applying it to the EID_root_key
- let isoldr apply that algorithm directly in anergistic
- the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key
Obtaining It
- patched aim_spu_module to dump it
*DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
- http://www.multiupload.com/1XUOOYS9I0
- http://dl.dropbox.com/u/35197530/aim.self (to be verified. if it is the same file, i'll upload it again to mediafire
per_console_root_key_n
These are further derivations of the per_console_key_1/EID_root_key